In agile software development, product security is taking on an ever-expanding role. In this era of continuous delivery and continuous integration, however, the development process faces a challenge that should not be underestimated. As a result, ever more companies are adopting the DevOps approach, in which development and subsequent operations are both closely intertwined with a security component from the very start: hence the abbreviation DevSecOps. DevSecOps presents a ready-made solution to a problem that many software companies face on a daily basis, taking into account the demands of both speedy development and security.

A definition of DevSecOps

Like the DevOps approach, DevSecOps optimises agility and allows for swift reaction, because the security aspect is already taken into account during the development phase itself. This clearly distinguishes it from conventional approaches, where a security team usually intervenes only once a product has been finalised.

What is the concept behind DevSecOps?

The DevSecOps method guarantees high security standards for quick and agile development methods, including continuous delivery and continuous integration. The often very high security requirements must already be built into the code that will run in production. This makes good communication between the security, development, and IT operations teams fundamentally important; an interdisciplinary approach is decisive for the success of the entire development process.

Why DevSecOps is so important

For the past few years, the security aspect of software development has gained growing significance. Because of the fast pace of development, with ever shorter intervals between versions, adhering to security standards is becoming an increasingly greater challenge. For many companies, the challenge becomes insurmountable if security is only considered after the actual development stage has been completed. Companies often have to choose between enhanced security, with the greater expenditure of time that accompanies it, or lower security standards in exchange for shorter release cycles. Many providers go for the latter option. DevSecOps, however, offers an outstanding way of bringing together high security and short release cycles.

Why both customers and companies benefit equally from DevSecOps

Earlier approaches to implementing security features and security protocols cannot keep up with the new and faster variants of agile software development. Only by integrating security standards into the development stage of the software, and including them in the development process itself, can the desired level of security be guaranteed even during short development and production cycles. However, very few companies actually take this approach. This is evident in the fact that some products lack security because of shorter version cycles, and that those security holes can often only be closed by makeshift ‘day-one patches’.

When aiming for a high degree of security, it must either be accepted that development will take longer, or DevSecOps can be adopted in order to achieve the desired result.

An example of DevSecOps

Let’s use a practical example of an app for private users to illustrate the above. The app in our example is a household budgeting tool for smartphones. It allows a user to record, categorise, colour-code, and prioritise various incomes and expenditures. Very little sensitive data comes into play here, so there is not much to take into account in terms of security.

However, let’s say that a new function is added to the app, in which receipts can be scanned and automatically recorded. Since there is now a lot of data to be processed and evaluated on servers, secure communication and processing take on a much more important role. If this security aspect is only taken into account in retrospect, it can take half a year for the new function to be deployed.

Let’s say that yet another function is to be added, in which expenditures are integrated into the app directly from the user’s online banking account. This implies the processing of extremely sensitive data, and integrating such a solution while adhering to high security standards could eventually take over a year. By that time, the competition will already have gained a lot of ground, and your own product may no longer be interesting to the market.

However, if the security aspect is taken into account directly during programming and development through DevSecOps, then the time needed to release the new function, without compromising the security of the product, can be shortened significantly. Security is often improved in the process too, since it is integrated directly into the code rather than taking the form of a security patch slapped onto an already-existing product. As such, the company benefits from shorter version cycles and the user benefits from consistent software updates.

The pros of using DevSecOps during development

The benefits of DevSecOps are obvious. If a company decides to develop its own products with the modern DevOps system, because of increasing demand and the greater challenges it faces, it will often see an unexpectedly high increase in production and deployment speed for different software versions. However, security is often left too late in the process. If it is only integrated into a product once completed, as is often the case, this can not only lead to problems with the functionality of the software but will also noticeably delay its deployment.

However, should the security aspect be taken into account while the development process is ongoing, the situation changes completely. In that case, the process is barely slowed down at all, since the security team also benefits from the monitoring solutions and automation already in place. In addition, the development and operations teams are able to take all security-related factors into account during development, leading to a very clear reduction in the number of security issues. As such, secure and stable software versions can still be produced in a short amount of time and released directly to end clients. Both clients and companies benefit from this new approach.

Cons and difficulties of using DevSecOps

Just as with DevOps, the success and efficiency of the DevSecOps system depend on how well individual employees and teams are able to handle the transition. Without an open company culture and open exchange between teams and departments, the DevSecOps concept will not function properly. As a result, it is important not only to communicate the benefits of the new system openly, but also to ensure that the changes are well coordinated across teams and employees.

If employees continue to resist aspects of the system, such as the integration of security experts into the actual development process, this can lead to considerable difficulties.

Conclusion: clever integration offers many benefits

The integration of important security features is vital in the software development and IT operations sectors. If the necessary security measures are only taken into account after the actual development has been completed, this will not only lead to very lengthy delays but will also allow errors to creep in that are not subjected to a comprehensive review process. However, should the security aspect be integrated directly into the development of software, software updates, and software versions through DevSecOps, the time spent implementing security measures will be markedly reduced, and quality will also be noticeably improved through automated checks. As such, companies will benefit not only from using DevOps in their operations, but also from employing DevSecOps to integrate data and software security directly into the development process.
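To make the automated checks mentioned above concrete, here is an added example of a small pipeline security gate, written for this page and not taken from any vendor's or project's tooling. It runs two of the checks a DevSecOps pipeline typically performs before a build is allowed to ship: it parses a dependency manifest, flags unpinned dependencies and blocks versions that appear in an advisory list, and it scans source for hard-coded credentials. The manifest, the source snippet, the advisory entry and the package names (examplelib, parserlib, webframework) are all constructed placeholders for the example; the advisory does not describe any real vulnerability.

```python
"""Added example: a minimal CI security gate for a DevSecOps pipeline.

All inputs below are constructed for illustration; package names, versions
and the advisory entry are placeholders, not real packages or real advisories.
"""
import re
from dataclasses import dataclass

# Constructed requirements-style manifest (not a real project's file).
SAMPLE_MANIFEST = """\
webframework==4.2.0
examplelib>=1.0
parserlib==2.0.1
# commented out: ignoredlib==0.1
"""

# Constructed source snippet containing one hard-coded credential.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal"
DB_PASSWORD = "hunter2-constructed"
API_TIMEOUT = 30
"""

# Constructed advisory list: package -> (affected version, note). Hypothetical.
CONSTRUCTED_ADVISORIES = {
    "parserlib": ("2.0.1", "constructed advisory entry for the example"),
}

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([A-Za-z0-9_.\-]+)$")
LOOSE_RE = re.compile(r"^([A-Za-z0-9_.\-]+)([<>~!=].*)?$")
# Matches NAME = "value" where NAME contains a credential-like keyword.
SECRET_RE = re.compile(
    r"""(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['"][^'"]{4,}['"]"""
)


@dataclass
class Finding:
    subject: str    # package name or source location
    severity: str   # "block" fails the pipeline, "warn" only reports
    message: str


def parse_manifest(text):
    """Return (name, version) pairs; version is None when not pinned exactly."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            deps.append((m.group(1).lower(), m.group(2)))
            continue
        m = LOOSE_RE.match(line)
        if m:
            deps.append((m.group(1).lower(), None))
    return deps


def check_dependencies(deps, advisories):
    """Warn on unpinned versions; block versions listed in the advisory table."""
    findings = []
    for name, version in deps:
        if version is None:
            findings.append(Finding(name, "warn",
                                    "not pinned to an exact version; build is not reproducible"))
            continue
        hit = advisories.get(name)
        if hit and version == hit[0]:
            findings.append(Finding(name, "block",
                                    f"version {version} matches advisory: {hit[1]}"))
    return findings


def scan_for_secrets(source_text):
    """Block on lines that look like a credential assigned as a string literal."""
    return [Finding(f"line {n}", "block", "possible hard-coded credential")
            for n, line in enumerate(source_text.splitlines(), 1)
            if SECRET_RE.search(line)]


def gate_passes(findings):
    return not any(f.severity == "block" for f in findings)


def run_gate(manifest_text, source_text, advisories=CONSTRUCTED_ADVISORIES):
    """Run every check and return (passed, findings) for the pipeline to act on."""
    findings = check_dependencies(parse_manifest(manifest_text), advisories)
    findings += scan_for_secrets(source_text)
    return gate_passes(findings), findings


if __name__ == "__main__":
    ok, results = run_gate(SAMPLE_MANIFEST, SAMPLE_SOURCE)
    for f in results:
        print(f"[{f.severity}] {f.subject}: {f.message}")
    print("gate:", "PASS" if ok else "FAIL")
    raise SystemExit(0 if ok else 1)
```

In a real pipeline this script would run on every commit, with the advisory table replaced by a maintained vulnerability feed and the exit status wired to the build step, so that the blocking findings stop a release before it reaches operations rather than being discovered after the fact.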
